Abstract. The paper describes an abstraction for protocols that are
based on multiple rounds of Chaum's Dining Cryptographers protocol.
It is proved that the abstraction preserves a rich class of specifications
in the logic of knowledge, including specifications describing what an
agent knows about other agents' knowledge. This result can be used to
optimize model checking of Dining Cryptographers-based protocols, and
applied within a methodology for knowledge-based program implementation
and verification. Some case studies of such an application are given,
for a protocol that uses the Dining Cryptographers protocol as a primitive
in an anonymous broadcast system. Performance results are given
for model checking knowledge-based specifications in the concrete and
abstract models of this protocol, and some new conclusions about the
protocol are derived.



1 Introduction 

Relations of abstraction (and their converse, refinement) are valuable tools for
program verification. In this approach, we relate a (structurally complex)
concrete program to a (simpler) abstract program by means of a relation that is
known to preserve the properties that we wish to verify in the concrete program.
When such a relation can be shown to hold, we are able to verify these
properties in the concrete program by showing that they hold in the abstract
program, which is generally easier in view of the lesser structural complexity
of the abstract program. In particular, model checkers can be expected to run
more efficiently on the abstract program than on the concrete program, and
abstraction is often used to bring the verification problem within the bounds of
feasibility for model checking. Conversely, starting with the abstract program,
and having verified that this satisfies the desired properties, we may derive
the concrete program and conclude that this also satisfies these properties.
This perspective is the basis for "correctness-by-construction" or top-down
refinement approaches to program verification.

Our contribution in this paper is to establish the correctness of an abstraction
relation for abstract programs based on the use of a trusted third party for
anonymous broadcast, which is implemented in the related concrete programs by
means of the Dining Cryptographers protocol proposed by Chaum pQ. That Chaum's
protocol implements anonymous broadcast is, of course, well-known, but we show
that this statement holds in a more general sense than is usually considered in
the literature, where the focus is generally on the very particular property of
anonymity. Specifically, we consider a broad class of properties formulated in
the logic of knowledge, including properties in which agent knowledge is nested,
such as "Alice knows that Bob knows that p". We show that the abstraction
relation between programs based on the trusted third party and programs based
on the Dining Cryptographers protocol preserves all properties from this class.

As an application of this result, we consider a protocol from Chaum's paper
[4] that uses multiple rounds of the Dining Cryptographers protocol to build
a more general anonymous broadcast system. We have previously studied this
protocol from the perspective of a model checking based methodology for the
implementation of knowledge-based programs [2], by treating the specification
of the protocol as a knowledge-based program containing nested knowledge
formulas.

Knowledge-based programs [§] are an abstract, program-like form of
specification, that describe how an agent's actions are related to conditions
stated in terms of the agent's knowledge. The advantage of this level of
abstraction is that it provides a highly intuitive description of the intentions
of the programmer, that has been argued to be easier to verify than the complex
implementations one typically finds for highly optimized distributed programs
[13, 9]. Knowledge-based programs cannot be directly implemented, however, so
they must be implemented by concrete programs in which the knowledge conditions
are replaced by concrete predicates of the agent's local state. The
implementation relation between a knowledge-based program and a putative
implementation holds when these concrete predicates are equivalent to the
knowledge formulas that they replace (interpreted with respect to the system
generated by running the putative implementation). Our partially-automated
methodology for the implementation of knowledge-based programs uses a model
checker for the logic of knowledge to check whether this equivalence holds, and
if it does not, uses the counter-examples generated by the model checker to
generate a revised putative implementation. (This process is iterated until an
implementation is found.)

In our previous work on the application of this methodology, we considered
model checking problems generated in this way from a knowledge-based
program based on multiple rounds of the Dining Cryptographers protocol. Our
experience was that the model checking problems we considered were close to
the bounds of feasibility for our model checker even for instances with small
numbers of agents, and we were prevented from considering instances of scale
as a result. In the present paper, we apply our abstraction result in order to
optimize the model checking problem, by performing model checking on the
abstracted (trusted third party) version of the programs we consider rather than
the concrete (Dining Cryptographers based) versions. We give performance
results showing the difference, which indicate that the abstraction is effective
in reducing the model checking runtime by several orders of magnitude, enabling
systems involving larger numbers of rounds of the Dining Cryptographers
protocol and larger numbers of agents to be model checked. We use the efficiency
gains to extend our previous analysis of the knowledge based program to larger
numbers of agents, leading to an improved understanding of its implementations.

The structure of the paper is as follows. We begin in Section 2 by introducing
the logic of knowledge, which provides the specification language for the
properties that are preserved by our abstraction technique, and give its
semantics in terms of a class of Kripke structures. We define a notion of
bisimulation on these Kripke structures that provides the semantic basis for our
program abstraction technique. In Section 3 we introduce a simple programming
language used to represent our concrete and abstract programs. In Section 4 we
introduce the Dining Cryptographers protocol and, in Section 5, its abstraction
using a trusted third party. In Section 6 we state and prove correct the
abstraction relation. The remainder of the paper deals with our application of
this result. We recall the two-phase protocol in Section In Section [5] we
describe knowledge-based programs and an approach to the use of model checking
to identify their implementations. In Section 9 we recall our formulation of the
two-phase protocol as a knowledge-based program and describe the associated
verification conditions. Section 10 discusses the comparative performance of
model checking in the concrete and abstract models when using the model checker
MCK. We highlight some of the interesting conclusions we are able to make about
implementations of the knowledge-based program for the round-based protocol in
Section [TT] We discuss related work in Section [TJ] Finally, in Section Q21 we
draw some conclusions and discuss future directions.



2 Epistemic Logic and Bisimulations 



Epistemic logics are a class of modal logics that include operators whose
meaning concerns the information available to agents in a distributed or
multi-agent system. In epistemic model checking, one is generally concerned with
the combination of such operators with temporal operators, and a semantics using
a class of structures known in the literature as interpreted systems [9] that
combines temporal and epistemic expressiveness. We focus here on a simpler
framework that omits temporal operators, since we are mostly interested, in our
application, in what knowledge agents have after some program has run, and this
also simplifies the statement and proof of our results.



Suppose that we are interested in systems comprised of agents from a set $Agt$
whose states are described using a set $Var$ of boolean variables.¹ The syntax
of the logic of knowledge $\mathcal{L}_{(Var,Agt)}$ is given by the following
grammar:

$$\phi ::= \top \mid v \mid \neg\phi \mid \phi \wedge \phi \mid K_i\phi$$

where $v \in Var$ is a variable and $i \in Agt$ is an agent. (We freely use
standard boolean operators that can be defined using the two given.)
Intuitively, the meaning of $K_i\phi$ is that agent $i$ knows that $\phi$ is
true.

The semantics for the language is given in terms of Kripke structures of the
form $M = (Agt, W, \{\sim_i\}_{i \in Agt}, Var, \pi)$, where

1. $Agt$ is the set of agents,
2. $W$ is a set of worlds, or situations,
3. for each $i \in Agt$, $\sim_i$ is an equivalence relation on $W$,
4. $Var$ is a set of variables,
5. $\pi : W \times Var \to \{0, 1\}$ is a valuation.

Intuitively, $W$ is the set of situations that the agents consider that they
could be in, and $w \sim_i w'$ if, when the actual situation is $w$, agent $i$
considers it possible that they are in situation $w'$. The value $\pi(w,v)$ is
the truth value of variable $v$ in situation $w$. Such a Kripke structure $M$ is
fit for the language $\mathcal{L}_{(Var',Agt')}$ if $Agt' \subseteq Agt$ and
$Var' \subseteq Var$. The semantics of the language is given by the relation
$M, w \models \phi$, where $M$ is a Kripke structure fit for
$\mathcal{L}_{(Var,Agt)}$, $w$ is a world of $M$, and $\phi$ is a formula,
meaning intuitively that the formula holds at the world $w$. The definition is
given inductively by

1. $M, w \models v$ if $\pi(w, v) = 1$, for $v \in Var$,
2. $M, w \models \neg\phi$ if not $M, w \models \phi$,
3. $M, w \models \phi_1 \wedge \phi_2$ if $M, w \models \phi_1$ and $M, w \models \phi_2$,
4. $M, w \models K_i\phi$ if $M, w' \models \phi$ for all $w' \in W$ with $w \sim_i w'$, for $i \in Agt$.

Intuitively, the final clause says that agent $i$ knows $\phi$ if it does not
consider it possible that not $\phi$. We write $M \models \phi$, and say that
$\phi$ is valid in $M$, if $M, w \models \phi$ for all $w \in W$. The Kripke
structure model checking problem is to compute, given $M$ and $\phi$, whether
$M \models \phi$. We will use this formulation of the model checking problem as
the basis for another notion of model checking, to be introduced below, that
concerns a way of generating $M$ from a program.

One of the difficulties to be faced in model checking, the state space explosion
problem, is the potentially large size of the set of worlds $W$ of the
structures $M$ of interest. Abstractions are useful techniques for mitigating
the state space explosion problem. They are often applied as a preliminary step
to model checking. Systems often encode details that are irrelevant to the
properties that we aim to verify. Abstraction techniques enable us to eliminate
such unnecessary, redundant details. However, abstractions must be sound, in the
sense that properties that hold in the abstract model must also hold in the
concrete model.

1 We use the term "variable" rather than "proposition" in this paper, since our atomic 
propositions arise as boolean variables in a program. 



For Kripke structures, bisimulations may provide an effective way to simplify
redundant structure while preserving properties of interest. We formulate here a
version that is suited to our application, in which we allow both the set of
agents and the set of propositions to vary in the structures we consider.

Suppose we are given a set of variables $Var$, a set of agents $Agt$, and two
Kripke structures

$$M = (Agt^M, W^M, \{\sim_i^M\}_{i \in Agt^M}, Var^M, \pi^M)$$

and

$$N = (Agt^N, W^N, \{\sim_i^N\}_{i \in Agt^N}, Var^N, \pi^N)$$

such that $Agt \subseteq Agt^M \cap Agt^N$ and $Var \subseteq Var^M \cap Var^N$.
(Note that these conditions imply that both $M$ and $N$ are fit for
$\mathcal{L}_{(Var,Agt)}$.) A $(Var, Agt)$-bisimulation $\Re$ between $M$ and
$N$ is defined to be a binary relation $\Re \subseteq W^M \times W^N$ such that:

1. Atoms: $\pi^M(w, v) = \pi^N(w', v)$ whenever $w \,\Re\, w'$ and $v \in Var$;
2. Forth: if $i \in Agt$, and $w_1, w_2$ are two worlds in $M$ and $u_1$ is a
   world in $N$ such that $w_1 \sim_i^M w_2$ and $w_1 \,\Re\, u_1$, then there is
   a world $u_2 \in W^N$ such that $u_1 \sim_i^N u_2$ and $w_2 \,\Re\, u_2$; and
3. Back: if $i \in Agt$ and $u_1, u_2$ are two worlds in $N$ and $w_1$ is a
   world in $M$ such that $u_1 \sim_i^N u_2$ and $w_1 \,\Re\, u_1$, then there is
   a $w_2 \in W^M$ such that $w_1 \sim_i^M w_2$ and $w_2 \,\Re\, u_2$.

If there exists a $(Var, Agt)$-bisimulation $\Re$ between $M$ and $N$ such that
$w \,\Re\, u$, then we write $(M, w) \sim_{(Var,Agt)} (N, u)$. If there exists a
$(Var, Agt)$-bisimulation $\Re$ between $M$ and $N$ such that for every
$u \in W^M$ there exists $w \in W^N$ such that $u \,\Re\, w$ and, conversely,
for every $w \in W^N$ there exists $u \in W^M$ such that $u \,\Re\, w$, then we
write $M \sim_{(Var,Agt)} N$. The following result shows that
$(Var, Agt)$-bisimulation preserves properties in the language
$\mathcal{L}_{(Var,Agt)}$.

Lemma 1. If $M$ and $N$ are Kripke structures and $u$ and $w$ are worlds of $M$
and $N$ such that $(M,u) \sim_{(Var,Agt)} (N,w)$, then for all
$\phi \in \mathcal{L}_{(Var,Agt)}$ we have $M, u \models \phi$ if and only if
$N, w \models \phi$. If $M \sim_{(Var,Agt)} N$ then for all
$\phi \in \mathcal{L}_{(Var,Agt)}$ we have $M \models \phi$ if and only if
$N \models \phi$.

We omit the proof since it is a minor variant of well-known results in the
literature. In our applications of this result, we will consider a complex,
concrete structure $M$ and a simpler, more abstract structure $N$, and show that
$M \sim_{(Var,Agt)} N$. This enables us to verify $M \models \phi$ using the
model checking problem $N \models \phi$, which is likely to be computationally
easier in view of the smaller size of $N$. However, we need to also develop an
abstraction technique for the programs that generate these Kripke structures. We
develop this technique in the following sections.



3 A Programming Language and its Semantics 

We use a small multi-agent programming language equipped with a notion of
observability. All variables are Boolean, and expressions are formed from
variables using the usual Boolean operators. The language has the following
atomic actions, in which $i$ and $j$ are agents, $x$ is a variable name and $e$
is an expression:

1. $i : x := e$ - agent $i$ evaluates $e$ and assigns the result to $x$,
2. $i : rand(x)$ - agent $i$ assigns a random value to $x$,
3. $i : e \to j.x$ - agent $i$ evaluates $e$ and transmits the result across a
   private channel to agent $j$, who assigns it to its variable $x$,
4. $i : broadcast(x)$ - agent $i$ broadcasts the value of the variable $x$ to
   all other agents.

Note that we write $i.x$ for agent $i$'s variable $x$ (the variables $i.x$ and
$j.x$ are considered distinct when $i \neq j$) but may omit the agent name when
this is clear from the context. In particular, in an atomic action $i : a$, any
variable $x$ not explicitly associated with an agent refers to $i.x$. For
example, we may write $i : x := y \oplus z$ rather than
$i : i.x := i.y \oplus i.z$. Similarly, when $e$ is an expression in which agent
indices are omitted, and $i$ is an agent, the expression $i.e$ refers to the
result of replacing each occurrence of a variable name $x$ in $e$ that is not
already associated to an agent index with $i.x$. Thus $i.(y \oplus j.z)$
represents $i.y \oplus j.z$.

Each atomic action reads and writes certain variables. Specifically, the action
$i : x := e$ reads the (agent $i$) variables in $e$ and writes $i.x$, the action
$i : rand(x)$ reads nothing and writes $i.x$, the action $i : e \to j.x$ reads
the (agent $i$) variables in $e$ and writes $j.x$, and the action
$i : broadcast(x)$ reads $x$ and writes nothing. A joint action is a set of
atomic actions in which no variable is written more than once. Intuitively, a
joint action is executed by first evaluating all the expressions and then
performing a simultaneous assignment to the variables.

A program is given by a sequence of joint actions $A_1; \ldots; A_n$. A program
for agent $i$ is a program in which each atomic action $j : a$ in any step has
$j = i$. We permit parallelism within an agent, in the sense that we do not
require that a joint action contains at most one atomic action for each agent.
If we are given for each agent $i$ a program $P_i = A^i_1; \ldots; A^i_n$, all
of the same length $n$, then we may form the joint program
$\|_i P_i = (\bigcup_i A^i_1); \ldots; (\bigcup_i A^i_n)$.

Some well-formedness conditions are required on agent programs. An
observability mapping is a function $ov$ mapping each agent to a set of
variables, intuitively, the set of variables that it may observe. A program runs
in the context of an observability mapping, and modifies that mapping. We say
that a joint action $A$ is enabled at an observability map $ov$ if

1. no variable written to by $A$ is in $ov(i)$ for any agent $i$ (that is, all
   variables written to are new variables), and
2. for each atomic action $i : x := e$ and $i : e \to j.x$ in $A$, the
   expression $i.e$ contains only variables in $ov(i)$, and
3. for each action $i : broadcast(x)$ we have $i.x \in ov(i)$.



These constraints may be understood as access control constraints stating that 
agent i may read only the variables in ov(i) and may write only new variables. 

Executing the action $A$ transforms the observability map $ov$ to the
observability map $ov[A]$ such that $ov[A](i)$ is the result of adding to
$ov(i)$

1. all variables $i.x$ such that an action of the form $i : x := e$ or
   $i : rand(x)$ or $j : e \to i.x$ occurs in $A$, and
2. all variables $j.x$ such that $j : broadcast(x)$ occurs in $A$.

These definitions are generalised to programs: the program
$P = A_1; \ldots; A_n$ is enabled at the observability map $ov$ if for each
$i = 1 \ldots n$, the action $A_i$ is enabled at $ov[A_1] \ldots [A_{i-1}]$,
and we define $ov[P]$ to be $ov[A_1] \ldots [A_n]$.

Example 1. Consider a two-agent system with agents $i$ and $j$. The action
$\{i : x := j.y\}$ is not enabled at the observability map $ov$ given by
$\{j \mapsto \{j.y\}\}$. However, the program
$\{j : broadcast(y)\}; \{i : x := j.y\}$ is enabled at $ov$, since the action
$\{j : broadcast(y)\}$ is enabled at $ov$, and transforms $ov$ to
$ov[\{j : broadcast(y)\}] = \{j \mapsto \{j.y\}, i \mapsto \{j.y\}\}$, at which
the action $\{i : x := j.y\}$ is enabled.

We say that an observability map is consistent with a Kripke structure
$M = (Agt, W, \{\sim_i\}_{i \in Agt}, Var, \pi)$ when for all agents $i$, if $v$
is a variable in $ov(i)$ then $v \in Var$, and for all worlds $w, w' \in W$ such
that $w \sim_i w'$ we have $\pi(w,v) = \pi(w',v)$. Intuitively, $ov$ is
consistent with $M$ if all variables declared to be local to agent $i$ by $ov$
are in fact defined and semantically local to agent $i$ in $M$.

The program $P$ is enabled at a Kripke structure $M$ if there exists an
observability map $ov$ such that

1. $ov$ is consistent with $M$,
2. $P$ is enabled at $ov$, and
3. all variables $x$ written by $P$ are not defined in $M$ (i.e., $x \notin Var$).

In particular, note that if a single joint action $A$ is enabled at $M$, then
for all variables $x$ read by $A$, and all worlds $w$, the value $\pi(w, x)$ is
defined. Consequently, we may also evaluate at $w$ any expression $e$ required
to be computed by $A$. We write $\pi(w, e)$ for the result.

We can now give a semantics of programs, in which a program applied to
a Kripke structure representing the initial states of information of the agents,
transforms the structure into another Kripke structure representing the states
of information of the agents after running the program. The definition is given
inductively, on an action-by-action basis. Let
$M = (Agt, W, \{\sim_i\}_{i \in Agt}, Var, \pi)$ be a Kripke structure and $A$ a
joint action. We define a Kripke structure
$M[A] = (Agt', W', \{\sim'_i\}_{i \in Agt'}, Var', \pi')$ as follows. Let $V$ be
the set of variables $i.x$ such that $A$ includes the atomic action
$i : rand(x)$. Intuitively, such actions increase the amount of non-determinism
in the system, whereas all other actions have deterministic effects. We define
$Agt' = Agt$ and take $W'$ to be the set of states of the form $(w, \kappa)$
where $w \in W$ and $\kappa : V \to \{0, 1\}$ is an assignment of boolean values
to the variables in $V$. We may write $w + \kappa$ for the pair $(w, \kappa)$.
In case $V$ is the empty set, $\kappa$ is always the null function, so we may
write just $w$ for $(w, \kappa)$. The set $Var'$ of variables defined in $M[A]$
is obtained by adding to $Var$ all variables written to by $A$. The assignment
$\pi'$ is obtained by extending $\pi$ to these new variables by defining $\pi'$
as follows on worlds $w + \kappa$:

1. if $v \in Var$ then $\pi'(w + \kappa, v) = \pi(w, v)$,
2. if $i : x := e$ occurs in $A$ then $\pi'(w + \kappa, i.x) = \pi(w, i.e)$,
3. if $i : rand(x)$ occurs in $A$ then $\pi'(w + \kappa, i.x) = \kappa(i.x)$, and
4. if $j : e \to i.x$ occurs in $A$ then $\pi'(w + \kappa, i.x) = \pi(w, j.e)$.

Finally, the indistinguishability relations $\sim'_i$ are defined using the
observability map $ov[A]$: we define $w + \kappa \sim'_i w' + \kappa'$ when
$w \sim_i w'$ and for all variables $x$ in $ov[A](i) \setminus ov(i)$, we have
$\pi'(w + \kappa, x) = \pi'(w' + \kappa', x)$. Intuitively, this reflects that
the agent recalls any information it had in the structure $M$, and adds to this
information that it is able to observe in the new state. Note that in fact
$w + \kappa \sim'_i w' + \kappa'$ implies
$\pi'(w + \kappa, x) = \pi'(w' + \kappa', x)$ for all variables
$x \in ov[A](i)$, since we have assumed that for $x \in ov(i)$ we have that
$w \sim_i w'$ implies $\pi(w, x) = \pi(w', x)$. Moreover, since the set
$ov[A](i) \setminus ov(i)$ is just the set of variables written to by $A$ that
are made observable to $i$, this observation also yields that the definition of
$M[A]$ is independent of the choice of observation map $ov$ consistent with $M$.

4 Chaum's Dining Cryptographers Protocol 

Chaum's Dining Cryptographers protocol is an example of an anonymous broadcast
protocol: it allows an agent to send a message without revealing its identity.
Chaum introduces the protocol with the following story:

Three cryptographers are sitting down to dinner at their favourite restaurant.
Their waiter informs them that arrangements have been made with
the maitre d'hotel for the bill to be paid anonymously. One of the
cryptographers might be paying for the dinner, or it might have been NSA
(U.S National Security Agency). The three cryptographers respect each
other's right to make an anonymous payment, but they wonder if NSA
is paying. They resolve their uncertainty fairly by carrying out the
following protocol:

Each cryptographer flips an unbiased coin behind his menu, between him
and the cryptographer on his right, so that only the two of them can see
the outcome. Each cryptographer then states aloud whether the two
coins he can see - the one he flipped and the one his left-hand neighbor
flipped - fell on the same side or on different sides. If one of the
cryptographers is the payer, he states the opposite of what he sees. An odd
number of differences uttered at the table indicates that a cryptographer
is paying; an even number indicates that NSA is paying (assuming that
the dinner was paid for only once). Yet if a cryptographer is paying,
neither of the other two learns anything from the utterances about which
cryptographer it is.



Chaum shows that this protocol solves the problem, and notes that it can 
be considered as a mechanism enabling a signal to be anonymously transmitted, 
under the assumption that at most one of the agents wishes to transmit. He goes 
on to generalize the idea to n-agent settings where, in place of the ring of coins, 
we have a graph representing the key-sharing arrangement. 

The more general protocol can be represented in our programming language
as follows. We assume that there is a set $Agt$ of agents, who share secrets
based on a (directed) key sharing graph $G = (Agt, E)$ in which the vertices are
the agents in $Agt$ and the edges $E \subseteq Agt \times Agt$ describe the
keysharing arrangement amongst the agents. We model keysharing by assuming that
for each edge $e = (i,j)$, agent $i$ generates the key corresponding to the
edge, and communicates the key to $j$ across a secure channel. For each edge
$e = (i,j)$ we write $e_1$ for the source agent $i$ and $e_2$ for the
destination agent $j$. For each agent $i$ we define
$in(i) = \{e \in E \mid e_2 = i\}$ and $out(i) = \{e \in E \mid e_1 = i\}$.
Accordingly, we use two variables for each edge $e = (i,j)$: the variable
$i.k_e$ stores $i$'s copy of the key corresponding to the edge, and the variable
$j.k_e$ stores $j$'s copy. We write $keys(i)$ for $in(i) \cup out(i)$, i.e., the
set of edges incident on $i$. The protocol $DC_i(m)$ of an agent $i \in Agt$ (in
which the message represented by the expression $i.m$ is transmitted anonymously
by agent $i$) consists of the following five steps:

$$\begin{array}{rl}
DC_i(m) = & \{ i : rand(k_e) \mid e \in out(i) \}; \\
          & \{ i : k_e \to e_2.k_e \mid e \in out(i) \}; \\
          & \{ i : b := m \oplus \bigoplus_{e \in keys(i)} k_e \}; \\
          & \{ i : broadcast(b) \}; \\
          & \{ i : rr := \bigoplus_{j \in Agt} j.b \}
\end{array}$$

Figure 1: The protocol DC

We write $DC(m)$ for the joint program $\|_{i \in Agt} DC_i(m)$.

Intuitively, the protocol DC operates by first generating keys and setting up
the key sharing graph, and then having each of the agents make a public
announcement encrypted using all the keys available to them. The directionality
of an edge in the key sharing graph indicates who generates the key
corresponding to the edge, viz, the source agent of the edge. The first step of
the protocol corresponds to each agent generating the key values for which they
are responsible. In the second step, these keys are shared with the other agent
on the edge by transmission across a secure channel. Each agent now has the
value of each of the key edges on which it is incident, and computes the xor of
its message with all these key values in the 3rd step, and broadcasts the result
in the 4th step. In the final step of the protocol, each agent computes the xor
of the messages broadcast as the result of the protocol.



5 An Abstraction of the Dining Cryptographers Protocol 



We are interested in protocols in which the DC protocol is used as a basic 
building block, and in model checking the agent's knowledge in the resulting 
protocols. In order to optimize this model checking problem, we now introduce a 
protocol that we will show to be an abstraction of the DC protocol that preserves 
epistemic properties. 

The abstracted version of the protocol omits the use of keys, but adds to the
set of agents a trusted third party $T$ who computes the result of the protocol
on behalf of the agents, and then broadcasts it. Here, we take
$Agt^a = Agt \cup \{T\}$. The protocol $DC^a_i(m)$ for agent $i$ is given in
four steps, see Figure 2.

$$\begin{array}{rl}
DC^a_i(m) = & \{ i : m \to T.x_i \}; \\
            & \{\}; \\
            & \{\}; \\
            & \{ i : rr := y \}
\end{array}
\quad (\text{for } i \in Agt)
\qquad
\begin{array}{rl}
DC^a_T(m) = & \{\}; \\
            & \{ T : y := \bigoplus_{i \in Agt} x_i \}; \\
            & \{ T : broadcast(y) \}; \\
            & \{\}
\end{array}$$

Figure 2: The abstract protocol $DC^a$

We write $DC^a(m)$ for the joint program $\|_{i \in Agt^a} DC^a_i(m)$.
Intuitively, in the abstract protocol, the agents transmit their bits across a
secure channel to the trusted third party, who computes the exclusive-or and
broadcasts it.

Note that since the protocol $DC^a$ makes no use of randomization, the set
of worlds of the structure $M[DC^a(m)]$ is identical to the set of worlds of the
structure $M$; only the set of defined variables and the indistinguishability
relation change. We can characterize the indistinguishability relations of
$M[DC^a(m)]$ as follows, where we introduce the abbreviation $\oplus m$ for
$\bigoplus_{i \in Agt} i.m$.

Lemma 2. If $M$ is a Kripke structure at which $DC^a(m)$ is enabled, and $u, v$
are worlds of $M[DC^a(m)]$ then $u \sim_i^{M[DC^a(m)]} v$ iff $u \sim_i^M v$ and
$\pi^M(u, \oplus m) = \pi^M(v, \oplus m)$.

The program $DC(m)$ makes use of randomization, so the structure $M[DC(m)]$
has more worlds than the structure $M$. More specifically, it can be seen that
the worlds of $M[DC(m)]$ have the form $((w, \kappa_1), \kappa_2)$, where
$\kappa_1$ assigns boolean values to the variables $i.k_e$ for $e \in E$ and
$i = e_1$, and $\kappa_2$ assigns boolean values to the variables $i.k_e$ for
$e \in E$ and $i = e_2$. Note that by the second step of the protocol, we always
have $\kappa_1(e_1.k_e) = \kappa_2(e_2.k_e)$ for all $e \in E$. We may therefore
abbreviate such a world to $w + \kappa$, where $\kappa : E \to \{0, 1\}$, and we
have

1. $\pi^{M[DC(m)]}(w + \kappa, e_1.k_e) = \kappa(e)$,
2. $\pi^{M[DC(m)]}(w + \kappa, e_2.k_e) = \kappa(e)$,
3. $\pi^{M[DC(m)]}(w + \kappa, i.b) = \pi^M(w, i.m) \oplus \bigoplus_{e \in keys(i)} \kappa(e)$, and

Note that the final equation may be simplified as follows:

$$\begin{array}{l}
= \bigoplus_{j \in Agt} \left( \pi^{M[DC(m)]}(w + \kappa, j.m) \oplus \bigoplus_{e \in keys(j)} \kappa(e) \right) \\
= \left( \bigoplus_{j \in Agt} \pi^M(w, j.m) \right) \\
= \pi^M(w, \oplus m)
\end{array}$$

where the third step follows using the fact each term $\kappa(e)$ occurs twice,
once for $e \in keys(e_1)$ and once for $e \in keys(e_2)$. Based on this
representation, we can characterize the indistinguishability relations of
$M[DC(m)]$ as follows:

Lemma 3. If $M$ is a Kripke structure at which $DC(m)$ is enabled, and
$u + \kappa$ and $v + \lambda$ are worlds of $M[DC(m)]$ then
$u + \kappa \sim_i^{M[DC(m)]} v + \lambda$ iff

1. $u \sim_i^M v$ and
2. $\kappa(e) = \lambda(e)$ for all $e \in keys(i)$ and
3. $\pi^M(u, j.m) \oplus \bigoplus_{e \in keys(j)} \kappa(e) = \pi^M(v, j.m) \oplus \bigoplus_{e \in keys(j)} \lambda(e)$ for all $j \in Agt$.
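
The characterisations in Lemmas 2 and 3 can be compared by brute force on small instances. The Python check below is an added example, not code from the paper or from MCK: for each agent it computes which message vectors the agent cannot tell apart after DC(m) and after the trusted-third-party version, and reports where the two sets differ. It assumes an initial structure whose worlds are vectors of one-bit messages and in which agent i initially observes only its own bit i.m; the function names and the sample key graphs are this example's own.

```python
from itertools import product

def keys(agent, edges):
    """keys(i): indices of the key-sharing edges incident on agent i."""
    return [n for n, (src, dst) in enumerate(edges) if agent in (src, dst)]

def xor_all(bits):
    acc = 0
    for bit in bits:
        acc ^= bit
    return acc

def broadcasts(msgs, kappa, edges):
    """Step 3 of DC_i(m) for every agent j: b_j = m_j xor the keys on j's edges."""
    return tuple(m ^ xor_all(kappa[e] for e in keys(j, edges))
                 for j, m in enumerate(msgs))

def concrete_view(i, msgs, kappa, edges):
    """What agent i can compare between two worlds of M[DC(m)] (Lemma 3):
    its own message bit, its own keys, and every broadcast bit."""
    own_keys = tuple(kappa[e] for e in keys(i, edges))
    return (msgs[i], own_keys, broadcasts(msgs, kappa, edges))

def abstract_view(i, msgs):
    """What agent i can compare between two worlds of M[DC^a(m)] (Lemma 2):
    its own message bit and the xor of all messages."""
    return (msgs[i], xor_all(msgs))

def result_matches_xor(n_agents, edges):
    """rr (the xor of all broadcasts) equals the xor of the messages for every
    choice of messages and keys, because each key is counted exactly twice."""
    return all(xor_all(broadcasts(m, k, edges)) == xor_all(m)
               for m in product((0, 1), repeat=n_agents)
               for k in product((0, 1), repeat=len(edges)))

def mismatches(n_agents, edges, worlds=None):
    """(agent, message vector) pairs where the message vectors the agent
    considers possible after DC(m) differ from those after DC^a(m)."""
    if worlds is None:
        worlds = list(product((0, 1), repeat=n_agents))
    key_choices = list(product((0, 1), repeat=len(edges)))
    bad = set()
    for i in range(n_agents):
        abstract = {}
        for v in worlds:
            abstract.setdefault(abstract_view(i, v), set()).add(v)
        concrete = {}
        for v in worlds:
            for kappa in key_choices:
                view = concrete_view(i, v, kappa, edges)
                concrete.setdefault(view, set()).add(v)
        for possible in concrete.values():
            for v in possible:
                if possible != abstract[abstract_view(i, v)]:
                    bad.add((i, v))
    return sorted(bad)

# Constructed sample inputs (not from the paper).
RING3 = [(0, 1), (1, 2), (2, 0)]                        # Chaum's three diners
COMPLETE4 = [(i, j) for i in range(4) for j in range(i + 1, 4)]
ONE_PAYER = [(0, 0, 0), (1, 0, 0), (0, 1, 0), (0, 0, 1)]  # at most one sender
SPARSE3 = [(0, 1)]                                      # agent 2 shares no key

if __name__ == "__main__":
    print("ring of 3:", mismatches(3, RING3))
    print("ring of 3, one payer:", mismatches(3, RING3, ONE_PAYER))
    print("complete graph on 4:", mismatches(4, COMPLETE4))
    print("sparse graph:", mismatches(3, SPARSE3))
```

On the ring and on the complete graph the two views agree at every world. In `SPARSE3` agent 2 shares no key, so its broadcast is its message bit in the clear and agents 0 and 1 learn more from DC(m) than from the trusted third party.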

6 Proof of Abstraction 

The following is implicit² in the proof of a key result concerning the DC
protocol that is proved in Chaum [3] (Section 1.4).

Lemma 4. For all $i \in Agt$ and for all functions $\kappa : E \to \{0, 1\}$ and
$\mu : Agt \to \{0, 1\}$ and $\mu' : Agt \to \{0, 1\}$ such that
$\bigoplus_{i \in Agt} \mu(i) = \bigoplus_{i \in Agt} \mu'(i)$ there exists a
function $\lambda : E \to \{0, 1\}$ such that
$\kappa \restriction keys(i) = \lambda \restriction keys(i)$ and for all
$j \in Agt$, we have
$\mu(j) \oplus \bigoplus_{e \in keys(j)} \kappa(e) = \mu'(j) \oplus \bigoplus_{e \in keys(j)} \lambda(e)$.

Note that the variables introduced by $DC(m)$ are the variables $i.k_e$, $i.b$
and $i.rr$ for $i \in Agt$ and $e \in E$. The variables introduced by $DC^a(m)$
are $T.x_i$, $T.y$ and $i.rr$ for $i \in Agt$. Hence the set of variables
introduced by both protocols is the set $\{i.rr \mid i \in Agt\}$. The following
result states that these variables are introduced by these protocols in such a
way as to extend a bisimulation between given concrete and abstract structures
to the new variables.

Theorem 1. Suppose that $M \sim_{V,Agt} M^a$ for a set of variables $V$
containing all variables in the expressions $i.m$ for $i \in Agt$, and let
$DC(m)$ be enabled at $M$ and $DC^a(m)$ be enabled at $M^a$. Then
$M[DC(m)] \sim_{V \cup \{i.rr \mid i \in Agt\}, Agt} M^a[DC^a(m)]$.

Proof. Let $M = (W, Agt, \{\sim_i\}_{i \in Agt}, Prop, \pi)$ and let

$$M^a = (W^a, Agt^a, \{\sim^a_i\}_{i \in Agt^a}, Prop^a, \pi^a).$$

We write

$$M[DC(m)] = (W', Agt, \{\sim'_i\}_{i \in Agt}, Prop', \pi')$$

and

$$M^a[DC^a(m)] = (W^{a'}, Agt^a, \{\sim^{a'}_i\}_{i \in Agt^a}, Prop^{a'}, \pi^{a'}).$$

As noted above, we have $W^{a'} = W^a$ and

$$W' = \{w + \kappa \mid w \in W, \kappa : E \to \{0, 1\}\}.$$

Let $R \subseteq W \times W^a$ be the bisimulation relation witnessing
$M \sim_{V,Agt} M^a$. We define the relation $\Re \subseteq W' \times W^{a'}$ as
follows: $w + \kappa \,\Re\, w'$ if $w R w'$. We claim that this relation
witnesses $M[DC(m)] \sim_{V \cup \{i.rr \mid i \in Agt\}, Agt} M^a[DC^a(m)]$.

2 Chaum's result is stated probabilistically, but the proof is largely non-probabilistic
and establishes this result.

Atoms: We need to check that for all $v \in V \cup \{i.rr \mid i \in Agt\}$, if
$w + \kappa \,\Re\, w'$ then $\pi'(w + \kappa, v) = \pi^{a'}(w', v)$. For
propositions $v \in V$, this is immediate from the facts that
$w + \kappa \,\Re\, w'$ implies $w R w'$, that $R$ is a $(V, Agt)$-bisimulation,
and that $\pi'(w + \kappa, v) = \pi(w, v)$ and $\pi^{a'}(w', v) = \pi^a(w', v)$.
For the variables $i.rr$, we argue as follows. Note that since the variables in
$i.m$ are included in $V$, it follows that
$\pi'(w + \kappa, i.m) = \pi^{a'}(w', i.m)$, and hence that
$\pi'(w + \kappa, \oplus m) = \pi^{a'}(w', \oplus m)$. As noted above, we have
$\pi'(w + \kappa, i.rr) = \pi'(w + \kappa, \oplus m)$. By the program for
$DC^a(m)$, we also have $\pi^{a'}(w', i.rr) = \pi^{a'}(w', \oplus m)$. Combining
these equations yields $\pi'(w + \kappa, i.rr) = \pi^{a'}(w', i.rr)$. Thus, we
have that $\Re$ preserves all propositions in
$V \cup \{i.rr \mid i \in Agt\}$.

Forth: Let $i \in Agt$, $u + \kappa, v + \lambda \in W'$, and let
$u^{a'} \in W^{a'}$ such that $u + \kappa \sim'_i v + \lambda$ and
$u + \kappa \,\Re\, u^{a'}$. We need to show that there exists
$v^{a'} \in W^{a'}$ such that $v + \lambda \,\Re\, v^{a'}$ and
$u^{a'} \sim^{a'}_i v^{a'}$. We argue as follows. From
$u + \kappa \,\Re\, u^{a'}$ it follows that $u R u^a$. Also, from
$u + \kappa \sim'_i v + \lambda$ it follows by Lemma 3 that $u \sim_i v$. Since
$R$ is a bisimulation, we obtain that there exists a world $v^a \in W^a$ such
that $u^a \sim^a_i v^a$ and $v R v^a$. Since $W^{a'} = W^a$ we may define
$v^{a'}$ to be $v^a$. It is immediate from the definition of $\Re$ and the fact
that $v R v^a$ that $v + \lambda \,\Re\, v^{a'}$. To show
$u^{a'} \sim^{a'}_i v^{a'}$ we use the characterization of $\sim^{a'}_i$ of
Lemma 2. We already have that $u^a \sim^a_i v^a$ by construction, so it remains
to show $\pi^a(u^a, \oplus m) = \pi^a(v^a, \oplus m)$.

From the fact that $v R v^a$, and that all variables in $i.m$ are in $V$, we
have that $\pi(v, \oplus m) = \pi^a(v^a, \oplus m)$. Similarly, from $u R u^a$,
we have that $\pi(u, \oplus m) = \pi^a(u^a, \oplus m)$. Further, since
$u + \kappa \sim'_i v + \lambda$, it follows by Lemma 3 that
$\pi(u, \oplus m) = \pi(v, \oplus m)$. Combining these equations yields
$\pi^a(u^a, \oplus m) = \pi^a(v^a, \oplus m)$, giving the remainder of what we
require for the conclusion that $u^{a'} \sim^{a'}_i v^{a'}$.

Back: Let i g Agt, u + k g W, and let g VF"' such that u + K5ftit°' 

and u° ~? v a . We need to show that there exists v + X g JV' such that 
u + k ^ v + X and w + A 5ft v a . We identify the world v g W as follows. From 
u + k 5ft u a we have that uRu a and from u a ~™ u a we have (by Lemma [3]) 
that u a ^1 v a . Since i? is a bisimulation, there exists a value v £ W such that 
u ~, v and wi?w a . 

From u a ~? « a and Lemma [U we obtain that 7r° (u a , ®m) = 7r a (w a , ®m), 
hence also 7r a (u a , ®m) = 7r a (u a , ®m). From the fact that i? is a bisimulation 
preserving the propositions V, we get from uRu a and vRv a that 7r(u, ®m) = 
TT a (u a ,®m) and 7r(w, ®m) = 7r a (i> a ,®m). Combining these equations yields 
7r(u, ®m) = 7r(w, ®m). 



Note that vRv a ' implies that v + A 5ft v a ' for all A : E — > {0, 1}, giving half of 
what we require. It therefore remains to find a value of A such that u + k ~^ v + A. 
Since we already have u ~j v, this requires, by LemmaGH that we find A such that 
re(e) = A(e) for all e € keys(i) and tt m (u,j.m) (g> $S> e ekeys(j)K( e ) = tt m {v, j.m) (g> 
®eefeeys(i) A(e) for all j G ^4<7i . Since 7r(u, ®m) = 7r(i>,®m), the existence of 
such a function A is guaranteed by Lemma 01 on taking fi(i) — ir{u,i.m) and 
= 7r(u, i.m). □ 

This result gives us that, modulo bisimulation, the programs $DC(m)$ and $DC^a(m)$ have the same effect on the agents' mutual states of knowledge. We have a similar result if we consider the effect of joint actions A:

Lemma 5. Let $M$ and $M'$ be Kripke structures such that $M \approx_{V,Agt} M'$, and let $A$ be a joint action, writing variables $V_A$, such that $A$ is enabled at both $M$ and $M'$. Then $M[A] \approx_{V \cup V_A,Agt} M'[A]$.

Proof. Suppose $R$ is a bisimulation witnessing $M \approx_{V,Agt} M'$, and we represent the worlds of $M[A]$ as $w + \kappa$ where $w$ is a world of $M$ and $\kappa : V_A \to \{0,1\}$, where $\pi_{M[A]}(w + \kappa, v) = \kappa(v)$ for $v \in V_A$. (This requires some constraints on the set of $w + \kappa$, to handle the case of variables $v \in V_A$ that are not written by i : rand(v) statements.) The worlds of $M'[A]$ may be similarly represented as $w + \kappa$ where $w$ is a world of $M'$.

Then it is easily shown that the relation $R'$ defined by $u + \kappa \mathrel{R'} v + \lambda$ if $u R v$ and $\kappa = \lambda$ is a bisimulation. □

Combining Theorem [1] and Lemma we obtain the following by a straightforward induction. (Note that we use fresh variables $k_e$, b, rr, xi and y in each of the instances of $DC_i$ and $DC_i^a$.)

Theorem 2. Let $M$ and $M^a$ be Kripke structures with $M \approx_{V,Agt} M^a$, and let

$P = Q_1; DC(m_1); Q_2; DC(m_2); \ldots DC(m_k); Q_{k+1}$ and
$P^a = Q_1; DC^a(m_1); Q_2; DC^a(m_2); \ldots DC^a(m_k); Q_{k+1}$

where the $Q_i$ are programs involving agents $Agt$. Let $V'$ be the set of all variables written by the programs $Q_i$, as well as the variables $i.rr$ introduced by the DC instances. Assume that the $Q_j$ and $m_j$ read only variables from $V \cup V'$. Then if $P$ is enabled at $M$, and $P^a$ writes no variable in $M^a$, then $P^a$ is enabled at $M^a$ and $M[P] \approx_{V \cup V',Agt} M^a[P^a]$.

This result states that if we have a complex protocol $P$, constructed by using multiple instances of the DC protocol interleaved with other actions, then we abstract $P$ by abstracting each of the instances of $DC$ to $DC^a$, while preserving the truth values of all epistemic formulas. This enables optimization of model checking epistemic formulas in $M[P]$ by applying model checking to $M[P^a]$ instead. (Note that always $M \approx M$.)



7 The Two-phase Anonymous Broadcast Protocol 



As noted above, the basic version of the Dining Cryptographers protocol enables 
a signal to be anonymously transmitted under the assumption that at most 
one agent wishes to transmit. One of Chaum's considerations is the use of the 
protocol for more general anonymous broadcast applications, and he writes: 

The cryptographers become intrigued with the ability to make messages 
public untraceably. They devise a way to do this at the table for a state- 
ment of arbitrary length: the basic protocol is repeated over and over; 
when one cryptographer wishes to make a message public, he merely 
begins inverting his statements in those rounds corresponding to 1's in a 
binary coded version of his message. If he notices that his message would 
collide with some other message, he may for example wait for a num- 
ber of rounds chosen at random from some suitable distribution before 
trying to transmit again. 

As a particular realization of this idea, he discusses grouping communication 
into blocks and the use of the following two-phase broadcast protocol using slot- 
reservation: 

In a network with many messages per block, a first block may be used 
by various anonymous senders to request a "slot reservation" in a second 
block. A simple scheme would be for each anonymous sender to invert 
one randomly selected bit in the first block for each slot they wish to 
reserve in the second block. After the result of the first block becomes 
known, the participant who caused the ith bit in the first block sends in 
the ith slot of the second block. 

This idea has been implemented as part of the Herbivore system [ID]. 

Chaum's discussion leaves open a number of questions concerning the pro- 
tocol. For example, what exact test is applied to determine whether there is a 
collision? Which agents are able to detect a collision? Are there situations where 
some agent expects to receive a message, but a collision occurs that it does not 
detect (although some other agent may do so?) Under what exact circumstances 
does an agent know that some agent has sent a message? When can a sender be 
assured that all others have received the message? 

In previous work, we have studied such questions in a 3-agent version of the 
protocol [2]. Our approach was to model the protocol as a knowledge-based program and to use epistemic model checking as a tool to help us identify precisely 
the conditions under which an agent obtains some types of knowledge of interest. 
The approach helped us to identify some unexpected situations in which relevant 
knowledge is obtained. We recap the definition of knowledge-based programs and 
our formulation of the 2-phase protocol as a knowledge-based program in the 
following sections, after which we study this knowledge-based program further 
using the abstraction developed above. 



8 Implementation of Knowledge-based Programs 

Knowledge-based programs [9. are like standard programs, except that expressions may refer to an agent's knowledge. That is, in a knowledge-based program for agent i, we may find statements of the form "$v := \varphi$", where $\varphi$ is a formula of the logic of knowledge, i.e., a boolean combination of atomic formulas concerning the agent's observable variables and formulas of the form $K_i\psi$.

Unlike standard programs, knowledge-based programs cannot in general be 
directly executed, since the satisfaction of the knowledge subformulas depends 
on the set of all runs of the program, which in turn depends on the satisfaction 
of these knowledge subformulas. This apparent circularity is handled by treat- 
ing a knowledge-based program as a specification, and defining when a concrete 
standard program satisfies this specification. We give a formulation of the se- 
mantics of knowledge-based programs tailored to the programming language of 
the present paper. 

Suppose that we have a concrete program P of the same syntactic structure as the knowledge-based program P, in which each knowledge-based expression $\varphi$ is replaced by a concrete predicate $p_\varphi$ of the local variables of the agent. Starting at an initial Kripke structure $M_0$, the concrete program P generates a set of runs that form the worlds of a Kripke structure $M_0[P]$. We now say that P is an implementation of the knowledge-based program P from $M_0$ if for each joint action A in the program P, corresponding to a joint action A in the knowledge-based program, if we write $P = P_0; A; P_1$, where $P_0$ and $P_1$ are programs, then for each knowledge condition $\varphi$ occurring in A, we have $M_0[P_0] \models p_\varphi \Leftrightarrow \varphi$. That is, the concrete condition is equivalent to the knowledge condition in the implementation at each point in the program where it is used. (In a more general formulation, where knowledge conditions may contain temporal operators, knowledge-based programs may have no implementations, a behaviourally unique implementation, or many implementations, but for the restricted language we consider it can be shown that there is a unique implementation.)

We now describe a partially automated process, using epistemic model check- 
ing, that can be followed to find implementations of knowledge-based programs 
P. The user begins by introducing a local boolean variable for each knowledge formula $\varphi = K_i\psi$ in the knowledge-based program, and replacing $\varphi$ by $v_\varphi$. 
Treating as a "history variable" , the user may also add to the program state- 
ments of the form :— e, relying on their intuitions concerning situations under 
which the epistemic formula </> will be true. This produces a standard program 
P that is a candidate to be an implementation of the knowledge-based program 
P. (It has, at least, the correct syntactic structure.) To verify the correctness of 
P as an implementation of P, the user must now check that the variables are 
being maintained so as to be equivalent to the knowledge formulas that they are 
intended to express. This can be done using epistemic model checking, where 
we verify formulas of the form at points in the program where the 

condition $\varphi$ is used. 

In general, the user's guess concerning the concrete condition that is equivalent to the knowledge formula may be incorrect, and the model checker will report the error. In this case, the model checker can be used to generate an error trace, a partial run leading to a situation that falsifies the formula being checked. The next step of our process requires the user to analyse this error trace (by inspection and human reasoning) in order to understand the source of the error in their guess for the concrete condition representing the knowledge formula. As a result of this analysis, a correction of the assignment(s) to the variable $v_\varphi$ is made by the user (this step may require some ingenuity on the part of the user). The model checker is then invoked again to check the new guess. This process is iterated until a guess is produced for which all the formulas of interest are found to be true, at which point an implementation of the knowledge-based program has been found. We refer the reader to our previous work [2] for further discussion and examples of the application of this iterative process. (We deemphasize the process in the present paper, and focus on the results.)

9 The Two-phase Broadcast Protocol as a Knowledge-based Program 

We now give a formulation of Chaum's two-phase protocol (see Section [7]) as a knowledge-based program, and discuss the associated verification conditions. (The knowledge-based program is similar to that given in our earlier work, but includes some improvements.)

We assume that there are n agents, and Agt = {1..n}. Figure [3] represents the 2-phase protocol by giving a knowledge-based program for agent i. The local variable slot-request, assumed to be defined in the structure from which the program is run, records the slot number (in the range 1..n) that this agent will attempt to reserve. If slot-request = 0, then the agent will not attempt to reserve any slot. The variable message, also assumed to be defined, records the single bit message that the agent wishes to anonymously broadcast (if any). The program introduces the variables rcvd0 and rcvd1, as well as a variable dlvrd. (Additional new variables are implicit in the instances of $DC_i$.)

The term conflict(s) in the knowledge-based program represents that there is a conflict on slot s. This is a global condition that is defined as

$\text{conflict}(s) = \bigvee_{i \neq j} (i.\text{slot-request} = s = j.\text{slot-request})$,

i.e., there exist two distinct agents i and j both requesting slot s.

The term sender(i, x) represents that an agent is sending message x. Thus, the variable rcvd0 is assigned to be true if the agent learns that someone is trying to send the bit 0, and similarly for rcvd1[s]. However, there are some subtleties in the implementation that lead us to consider two distinct versions of the program. In one version, called strong reception, we use the definition

$\text{sender}(i, x) = \bigvee_{j \neq i} (j.\text{message} = x \wedge j.\text{slot-request} \neq 0)$.



P_i = {
  local variables:
    slot-request: [0..n],
    message: Bool,
    rcvd0, rcvd1, dlvrd: Bool;

  //reservation phase
  for (s = 1; s ≤ n; s++)
  {
    DC_i(slot-request = s);
  }

  //transmission phase
  for (s = 1; s ≤ n; s++)
  {
    DC_i(if (slot-request = s ∧ ¬K_i(conflict(s)))
         then message
         else false);
  }

  rcvd0 := K_i(sender(i, 0));
  rcvd1 := K_i(sender(i, 1));

  dlvrd := ⋀_{x∈Bool} ((message = x ∧ slot-request ≠ 0) ⇒
             K_i(⋀_{j≠i} K_j sender(j, x)))
}

Figure 3: The knowledge-based program CDC 

That is, we take an agent to have received the bit if it knows that some other agent is sending the message x. In the other, that we refer to as weak reception, we define

$\text{sender}(i, x) = \bigvee_{j} (j.\text{message} = x \wedge j.\text{slot-request} \neq 0)$.

That is, we take an agent to have received the bit if it knows that some agent is sending the message x, possibly itself. Since an agent always knows its own message x, it trivially knows sender(i, x) if it is trying to send a message (i.e., i.slot-request ≠ 0), so this may seem very weak. However, since other agents may consider it possible that the agent is not seeking to send a message, we see that it becomes of greater interest in the context of an agent's knowledge of delivery of its message, represented by the assignment for the variable dlvrd.

We note that this representation of the 2-phase protocol as a knowledge- 
based program is speculative: an agent transmits in a slot so long as it does not 
know that there is a conflict. This allows that a collision will occur during the 
transmission phase. 

Since an agent may attempt to reserve a slot, and then back off, or may send in a reserved slot without success because of a collision during the transmission phase, the protocol does not guarantee that the message will be delivered. In this case, the agent is required to retry the transmission in the next run of the protocol. So that it can determine whether a retry is necessary, the final assignment to the variable dlvrd captures whether the agent knows that its (anonymous) transmission has been successful: this assignment captures that the transmission is successful if the agent knows that the other agents know that some agent is sending its message. We similarly refer to weak delivery and strong delivery depending on which version of the predicate sender(i, x) is used.³

We remark that the knowledge-based program is interpreted with respect to 
the assumption of perfect recall, and implementations may make use of history 
variables to capture observations that the agent makes during the running of the 
protocol. Thus, by placing the reception and delivery assignments at the end of 
the program (rather than just after each DC instance), we ensure that the agents 
are able to behave optimally by making use of all information they gather during 
the running of the program. As we discuss below, this allows us to capture some 
subtle sources of information. 

In Figure [4] we give the generic structure of a possible implementation of the knowledge-based program, as we seek using our partially-automated process. The variable kc[s] is used to represent the epistemic condition concerning conflict in the knowledge-based program (i.e., $\neg K_i(\text{conflict}(s))$). Thus, in verifying that we have an implementation, the key condition to be checked is whether kc[s] $\Leftrightarrow \neg K_i(\text{conflict}(s))$ just after this variable is assigned. The main difficulty in finding an implementation is to find the appropriate concrete assignment (to take the place of the "???") for this variable that will make this condition valid. Similarly we seek assignments to the variables rcvd0[s], rcvd1[s] that give these the intended meaning.

We note that each of the instances of the protocol $DC_i$ introduces additional variables, which may be used in the concrete predicates we substitute for the "???". In particular, they introduce round result variables, which we denote by rr[t] for t ∈ {1..2n}. Here rr[t] represents the round result variable from the t-th instance of $DC_i$ in the implementation. The implementations also introduce key variables $k_e$ and b, which need to be separated in the different instances: we may similarly use $k_e[t]$ and b[t] to denote the t-th instance of such a variable.

We now discuss the formulas that are used to verify the implementation. 
As discussed above, these conditions need to be verified at specific stages of 
the program, viz., the step before the occurrence of the knowledge formula of 
interest. 

The first formula of interest concerns the correctness of the guess for the knowledge condition $\neg K_i(\text{conflict}(s))$ (in the case of the speculative implementation), or $K_i(\neg\text{conflict}(s))$ (in the case of the conservative implementation). In the implementation, this condition is represented by the variable kc[s].

Specification 1: kc[s] correctly represents knowledge of the existence of a conflict in slot s = 1..3.

$i.\text{kc}[s] \Leftrightarrow \neg K_i(\text{conflict}(s))$ (1)

3 We remark that in case of weak delivery, replacing the expression $\bigwedge_{j \neq i} K_j\,\text{sender}(j, x)$ by $\bigwedge_{j} K_j\,\text{sender}(j, x)$ in the assignment to dlvrd would have no effect, since in the weak case it always holds that $(i.\text{message} = x \wedge i.\text{slot-request} \neq 0) \Rightarrow K_i(\text{sender}(i, x))$.



P_i = {
  local variables:
    slot-request: [0..n],
    message: Bool,
    rcvd0, rcvd1, dlvrd: Bool,
    kc[n]: Bool;

  //reservation phase
  for (s = 1; s ≤ 3; s++)
  {
    DC_i(slot-request == s);
  }

  //transmission phase
  for (s = 1; s ≤ n; s++)
  {
    kc[s] := ???;

    DC_i(if (slot-request == s ∧ kc[s])
         then message
         else false);
  }

  rcvd0 := ???;
  rcvd1 := ???;
  dlvrd := ???
}

Figure 4: A generic implementation of CDC 

Next, the protocol has some positive goals, viz., to allow agents to broadcast 
some information, and to do so anonymously. Successful reception of a bit is 
intended to be represented by the variables rcvd0 and rcvd1. To ensure that 
the assignments to these variables correctly implement their intended meaning 
in the knowledge-based program, we use specifications of the following form. 

Specification 2: reception variables correctly represent transmissions by others 

$i.\text{rcvd0} \Leftrightarrow K_i(\text{sender}(i, 0))$ (2a)

and

$i.\text{rcvd1} \Leftrightarrow K_i(\text{sender}(i, 1))$ (2b)

Similarly, we need to verify correct implementation of the agent's knowledge 
about whether its transmission is successful. 

Specification 3: delivery variables correctly represent knowledge about delivery

$i.\text{dlvrd} \Leftrightarrow \bigwedge_{x \in Bool} ((i.\text{message} = x \wedge i.\text{slot-request} \neq 0) \Rightarrow K_i(\bigwedge_{j \neq i} K_j\,\text{sender}(j, x)))$

There are strong and weak versions of Specifications 2 and 3, depending on the choice for sender(i, x).

Finally, the aim of the protocol is to ensure that when information is transmitted, this is done anonymously. An agent may know that one of the other two agents has a particular message value, but it may not know what that value is for a specific agent. We may write the fact that agent i knows the value of a boolean variable x by the notation $\hat{K}_i(x)$, defined by $\hat{K}_i(x) = K_i(x) \vee K_i(\neg x)$. Using this, we might first attempt to specify anonymity as $\bigwedge_{j \neq i} (\neg\hat{K}_i(j.\text{message}))$, i.e., agent i knows no other's message. Unfortunately, the protocol cannot be expected to satisfy this: suppose that all agents manage to broadcast their message and all messages have the same value x: then each knows that the other's value is x. We therefore write the following weaker specification of anonymity:

Specification 4: The protocol preserves anonymity

$\bigvee_{x \in Bool} K_i(\bigwedge_{j \neq i} (j.\text{message} = x)) \vee \bigwedge_{j \neq i} (\neg\hat{K}_i(j.\text{message}))$.

This is checked at the very end of the protocol.

10 Model Checking Performance 

To verify the specifications for the knowledge-based program in a putative imple- 
mentation, we have applied the epistemic model checker MCK [?]. We refer the 
reader to our previous work [2] for a description of some of the particularities of 
how this is done. Since the details are straightforward, we focus here on how the 
abstraction developed in this paper impacts the performance of model checking. 

We would like to verify whether a putative implementation P implements the knowledge-based program P from an initial structure $M_0$. This requires that we model check the formulas from the previous section. Since these formulas concern only the initial variables of the agents, and variables introduced outside the scope of the $DC_i$ calls, it follows from Theorem [5] that we may verify instead whether these formulas hold at appropriate times during the running of the abstract program $P^a$ that we obtain by replacing each instance of $DC_i$ in P by $DC_i^a$.

We have performed some experiments in which we use MCK for this model 
checking problem. MCK is a symbolic model checker, and model checking a for- 
mula involves first building a symbolic (Binary Decision Diagram [T3]) represen- 
tation of the model itself, and then using this representation in the construction 
of a symbolic representation of the situations where the particular formula of 
interest is false. All specifications are checked using the perfect recall interpre- 
tation of knowledge and the model checking algorithm for this semantics which 
is described in [21] (which is flagged by spec_spr_xn in MCK). To estimate 
individual formula timings, we deduct model construction times (estimated by 
the time to model check the specification True), from the actual time for model 
checking each specification (which includes model construction and formula ver- 
ification time.) All experiments are conducted on a PC with Intel(R) Xeon(R) 4 
x 3 GHZ, and 16 GB memory, using MCK 0.1.1. Where the execution crashed 
due to a memory error, we report "x" in the tables. 

Our methodology for identifying an implementation of the knowledge-based program requires that we perform model checking on a number of different approximations to the final implementation, and, when a specification fails, using the counter-example found to revise the approximation. Table [T] gives the runtimes for the initial program, in which we guess the predicate False for the implementation of all knowledge formulas in the knowledge-based program. For each specification x we give runtimes for model checking the specification in the concrete program and the abstract program (indicated by $x^a$). We count the cost of verifying all instances of the specification required to check the correctness of the implementation at different times where the knowledge condition occurs in the program. (With n agents, we need to check Specification 1 at n locations in the implementation, but specifications 2-4 just once.) As we improve the approximation, the program becomes more complex, and the model checking runtimes increase. In Table [2] we give the runtimes for the final approximation, in which we have identified a program that is verified as implementing the knowledge-based program.
Table 2. Model Checking Runtimes (seconds) - final implementation 



For a more detailed indication of the impact of the abstraction, Table [3] com- 
pares the runtimes for model checking the anonymity specification (Specification 
4) in the concrete and abstract programs for the final implementation after a 
given number of rounds of the Dining Cryptographers Protocol. Note that the 
maximum number of rounds of Dining Cryptographers in the 2-phase protocol 
is twice the number of agents. 

In all these experiments, the runtimes obtained indicate that the abstraction results in a significant decrease of runtimes (in some cases of several orders of magnitude) and helps to bring problems of larger scale (in particular, with larger numbers of agents and greater numbers of rounds of the basic Dining Cryptographers protocol) within the bounds of feasibility of model checking.
Table 3. Model Checking Runtimes (seconds) for Specification 4 



11 Implementations of the knowledge-based program 

Using the optimization obtained from the abstraction, we have been able to 
extend our previous analysis of the knowledge-based program in the 3-agent case 
to the cases of 4 and 5 agents, gaining more insight into the n-agent case for 
general n. We now describe the implementations we found for the program, which 
demonstrate that the protocol contains some further subtle flows of information 
beyond those we found in the 3 agent case. 

One point worth noting is that, in addition to providing an optimization of epistemic model checking, our abstraction result also provides information that is useful in the search for an implementation of the knowledge-based program. Observe that the variables $k_e$ do not occur in the abstract version of the protocol, nor in the formulas we need to check to verify an implementation. Thus, in guessing a concrete predicate to be substituted for one of the knowledge conditions, we can confine our attention to predicates that do not contain the $k_e$ variables. Indeed, since i.b is computed from information already at agent i's disposal, we need only consider predicates based on agent i's initial information and the round result variables rr[k].

The first knowledge condition we need to implement, for Specification 1, is $\neg K_i\,\text{conflict}(s)$. Plainly, one situation where an agent knows that there is a conflict is when it attempts to reserve a slot and the round result for the reservation is not 1. (So an even number of agents attempted to reserve the slot.) Thus, one potential implementation for $\neg K_i\,\text{conflict}(s)$ is the assignment kc[s] := ¬(slot-request = s ∧ rr[s] = 0). Model checking Specification 1 for this predicate at the point of the s-th transmission confirms in all of the cases n = 3, 4, 5 that this captures the knowledge condition $\neg K_i\,\text{conflict}(s)$ exactly at this point: there are no other ways that the agent can know of a conflict on a slot before transmitting on it, besides seeing a reservation clash. (In particular, previous transmissions do not contain any relevant information.)

It is interesting to consider not just the knowledge condition $\neg K_i\,\text{conflict}(s)$ that occurs in the program, but also the stronger condition $K_i \neg\text{conflict}(s)$ (the formula $K_i \neg p \rightarrow \neg K_i p$ is a validity of the logic of knowledge). For example, if an agent who is broadcasting on a slot knows that all other agents know the slot is conflict free, then it knows that its message will be delivered. Thus, we have also added a local variable conflict-free(s) to the implementation, for s = 1 . . . n, and sought assignments to this variable that satisfy the formula $i.\text{conflict-free}(s) \Leftrightarrow K_i \neg\text{conflict}(s)$. This turns out to be quite a subtle matter.

To express this condition, it is useful to introduce a formula $C_0 = x$ where $x \in \{0, \ldots, n\}$ to express that the number of 0's obtained as round results in the reservation phase is x. We may then note the following situations in the protocol in which $K_i \neg\text{conflict}(s)$ holds.

— If $C_0 = 0$ or $C_0 = 1$, then the agent knows there is no conflict on any slot. Note that in this case there are at least n − 1 agents who are requesting the at least n − 1 distinct slots with reservation round result 1, leaving at most one further agent. If this agent had requested any of the slots with round result 1, this would have caused a 2-way reservation clash, contradicting the observed round result of 1. Hence this agent did not request any slot, and all slots are conflict-free.

— If $C_0 \geq 2$, then in general, an agent cannot determine whether or not there is a conflict on any of the reserved slots, since there may be a 3-way clash on one of these slots. However, in the particular case where $C_0 = 2$ and the agent itself does not request any slot (slot-request = 0) then n − 2 agents are accounted for by the n − 2 slots on which we see a reservation round result of 1, and the remaining one agent cannot be assigned to any slot without changing the round result, and hence the count. Hence this agent cannot be requesting a slot, and the agent knows that all slots are conflict-free.

— Note that if $C_0 = 2$ or $C_0 = 3$, and the agent requests a slot but detects a collision at slot reservation time, then there must have been at least 2 agents requesting this slot, leaving at most n − 2 agents for the n − 1 other slots, where we see either n − 3 or n − 4 slots with reservation result of 1. This means at least n − 1 or n − 2 agents are accounted for in total, so the number of agents remaining to contribute to a further collision on the remaining n − 1 other slots is at most 1. This agent cannot be assigned to any slot without changing the round result for that slot, so it must not be requesting a slot. Thus, all the other n − 1 slots are collision free.

— The above cases use information from the reservation phase. Agents may also be able to deduce that slots are conflict-free as a result of information they obtain during the transmission phase. If $C_0 = 2$ or $C_0 = 3$, the agent requests a slot and obtains a reservation round result of 1 for this slot, but then detects a collision at transmission time, then there must have been at least a 3-way collision on that agent's slot, and by a similar argument to the previous case, we deduce that all the other slots are collision free.

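These conditions may be captured by the assignment

$$\begin{aligned}
i.\text{conflict-free}(s) := {} & C_0 = 0 \vee C_0 = 1 \vee (C_0 = 2 \wedge i.\text{slot-request} = 0) \;\vee \\
& ((C_0 = 2 \vee C_0 = 3) \wedge \bigvee_{t=1}^{n} (s \neq t \wedge i.\text{slot-request} = t \wedge rr[t] = 0)) \;\vee \\
& ((C_0 = 2 \vee C_0 = 3) \wedge \bigvee_{t=1}^{n} (s \neq t \wedge i.\text{slot-request} = t \wedge rr[t] = 1 \wedge rr[n+t] \neq i.\text{message}))
\end{aligned}$$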



The above formula states several concrete conditions under which the agent knows there is no conflict on a particular slot s. We have verified by model checking for n = 3, 4, and 5 that, at the end of the protocol, for all slots s we have $i.\text{conflict-free}(s) \Leftrightarrow K_i \neg\text{conflict}(s)$, and conjecture that it holds for all n.
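The checks described in this section can be reproduced for small n by brute force rather than with MCK; the following is an added example, not code from the paper. It assumes the abstract model (each round result is the XOR of the bits the agents feed in), an initial structure containing every combination of slot requests and message bits, and that an agent observes its own slot-request and message plus all round results so far; all function names are hypothetical.

```python
from itertools import product

def kc_reservation_clash(req, rr, s):
    """Candidate from the text: kc[s] := not (slot-request = s and rr[s] = 0)."""
    return not (req == s and rr[s - 1] == 0)

def kc_always_false(req, rr, s):
    """First approximation: guess False for the knowledge condition."""
    return False

def run_protocol(n, reqs, msgs, kc_guess):
    """Abstract two-phase run: every DC round result is the XOR of the bits fed
    in. rr[s-1] is reservation round s, rr[n+s-1] is transmission round s."""
    rr = [sum(r == s for r in reqs) % 2 for s in range(1, n + 1)]
    for s in range(1, n + 1):
        bit = 0
        for r, m in zip(reqs, msgs):
            if r == s and kc_guess(r, rr, s):
                bit ^= m
        rr.append(bit)
    return rr

def all_worlds(n, kc_guess):
    """Assumed initial structure: every slot request in 0..n and every message
    bit, for every agent, paired with the round results of the resulting run."""
    return [(reqs, msgs, run_protocol(n, reqs, msgs, kc_guess))
            for reqs in product(range(n + 1), repeat=n)
            for msgs in product((0, 1), repeat=n)]

def knowledge(worlds, i, rounds_seen, fact):
    """Perfect-recall knowledge of agent i after rounds_seen rounds: maps each
    observation (own request, own message, results so far) to True iff fact
    holds in every world producing that observation."""
    known = {}
    for reqs, msgs, rr in worlds:
        obs = (reqs[i], msgs[i], tuple(rr[:rounds_seen]))
        known[obs] = known.get(obs, True) and fact(reqs)
    return known

def conflict(reqs, s):
    """conflict(s): two distinct agents request slot s."""
    return sum(r == s for r in reqs) >= 2

def check_spec1(n, kc_guess):
    """First (agent, slot, requests, messages) at which kc[s] differs from
    not K_i conflict(s) just before transmission round s, or None."""
    worlds = all_worlds(n, kc_guess)
    for i in range(n):
        for s in range(1, n + 1):
            seen = n + s - 1
            k_conflict = knowledge(worlds, i, seen, lambda reqs: conflict(reqs, s))
            for reqs, msgs, rr in worlds:
                obs = (reqs[i], msgs[i], tuple(rr[:seen]))
                if kc_guess(reqs[i], rr, s) != (not k_conflict[obs]):
                    return (i + 1, s, reqs, msgs)
    return None

def conflict_free_guess(n, req, msg, rr, s):
    """The concrete predicate proposed above for K_i not conflict(s)."""
    c0 = rr[:n].count(0)               # number of 0 results in the reservation phase
    if c0 <= 1 or (c0 == 2 and req == 0):
        return True
    if c0 in (2, 3) and req not in (0, s):
        t = req                        # the agent's own slot, different from s
        if rr[t - 1] == 0:             # reservation clash seen on its own slot
            return True
        if rr[t - 1] == 1 and rr[n + t - 1] != msg:   # transmission collision
            return True
    return False

def check_conflict_free(n):
    """First (agent, slot, requests, messages) at which the predicate differs
    from K_i not conflict(s) at the end of the protocol, or None."""
    worlds = all_worlds(n, kc_reservation_clash)
    for i in range(n):
        for s in range(1, n + 1):
            k_free = knowledge(worlds, i, 2 * n, lambda reqs: not conflict(reqs, s))
            for reqs, msgs, rr in worlds:
                obs = (reqs[i], msgs[i], tuple(rr))
                if conflict_free_guess(n, reqs[i], msgs[i], rr, s) != k_free[obs]:
                    return (i + 1, s, reqs, msgs)
    return None

if __name__ == "__main__":
    print("Spec 1, reservation-clash guess:", check_spec1(3, kc_reservation_clash))
    print("Spec 1, always-False guess:     ", check_spec1(3, kc_always_false))
    print("conflict-free predicate:        ", check_conflict_free(3))
```

A returned tuple plays the role of the model checker's error trace: it names an agent, a slot and an initial state in which the guessed predicate and the knowledge formula disagree.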

We remark that in the case of $C_0 = 0$ or $C_0 = 1$, this information is available to all agents, and it is common knowledge⁴ that all slots are conflict free. In the other cases, collision freedom on a slot may be known to some agents but not to others. For example, consider the situation with n = 4 and where the slot-request and message values and round results are given as in Figure [5](a). Here agent 2 sees a reservation collision and two 1's elsewhere, so knows that slots 1 and 4 are collision free. However, agent 1 does not know this, since the scenario of Figure [5](b) is consistent from its viewpoint, and here there is a collision on slot 4.
Figure 5: Collision Freedom is not Common Knowledge 



As mentioned above, we consider in this paper a speculative version of the knowledge-based program, in which an agent transmits its message in its requested slot s in the transmission phase if $\neg K_i\,\text{conflict}(s)$. One could also study a conservative version, where an agent only transmits if $K_i \neg\text{conflict}(s)$. The analysis above shows that this would lead to a much more complicated implementation⁵, where, moreover, the agent would transmit only in the low probability case when almost all other agents also have a message to send, and they happen to pick distinct slots!

Returning to the implementation of the speculative version, we need to find 
the appropriate assignments to the variables rcvd0, rcvd1 and dlvrd, for which 
we have strong and weak versions. 

4 A fact is common knowledge [12] if all agents know it, all agents know that all other 
agents know it, and so on for all levels of iteration of knowledge. 

5 For a number of reasons, including the fact that we need an implementation of the 
knowledge condition at all transmission steps, rather than just at the end of the 
protocol, the above condition is not yet adequate for such an implementation. 

Strong Version: In this case, reception of a bit x means that the agent knows 
that some other agent is sending that bit x. An obvious situation where this is 
the case is where the agent is not itself sending in the slot, the reservation round 
result is 1, and the bit x is observed as the round result in the corresponding 
transmission slot. Note that there may still be a collision on that slot, but since 
the number of agents in the collision is then odd, at least one must be sending 
x. As we noted in our previous work [2], there is another, less obvious, situation 
when an agent can know that another agent is sending a bit x in a slot, viz., 
when the agent is itself transmitting bit y in that slot and observes that the 
round result for the transmission is the complement of y. Since the number of 
other agents in the conflict must be even, there must be both another agent 
sending 0 and another agent sending 1 in the slot. We have verified by model 
checking in the case of 3-5 agents that with the assignment 

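$$
\begin{aligned}
i.\mathit{rcvd}x := \bigvee_{s=1}^{n} \Big( & (i.\mathit{slot\text{-}request} \neq s \land rr[s] = 1 \land rr[n+s] = x) \\
& \lor (i.\mathit{slot\text{-}request} = s \land rr[s] = 1 \land rr[n+s] \neq i.\mathit{message}) \Big)
\end{aligned}
$$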

Specification 2 is satisfied in the strong version. 

For the delivery condition, we have verified that the assignment 

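$$
\begin{aligned}
\mathit{dlvrd} := {} & (\mathit{slot\text{-}request} \neq 0 \land (C_0 = 0 \lor C_0 = 1)) \\
& \lor \Big( \mathit{slot\text{-}request} \neq 0 \land \mathit{message} = 1 \land \bigvee_{s \neq t,\; s,t = 1..n} \big( rr[s] = rr[t] = 1 \land rr[n+s] = rr[n+t] = 1 \big) \Big) \\
& \lor \Big( \mathit{slot\text{-}request} \neq 0 \land \mathit{message} = 0 \land \bigvee_{s \neq t,\; s,t = 1..n} \big( rr[s] = rr[t] = 1 \land rr[n+s] = rr[n+t] = 0 \big) \Big)
\end{aligned}
$$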

works for Specification 3 in the strong version for the cases n=3-5. The intuitions 
for this formula are as follows. In the case $C_0 = 0 \lor C_0 = 1$, as discussed above, 
it is common knowledge that all slots are conflict-free, so all transmissions are 
guaranteed to be delivered. As just noted, an agent who is not sending on a slot 
receives the value transmitted on that slot. However, an agent sending on a slot, 
and not noticing a clash on the transmission, considers it possible that there are 
other agents transmitting the very same value on that slot, and these will not 
know that there is another agent transmitting on the slot. However, if there are 
at least two distinct reserved slots where that value is transmitted, then each 
receives the value from some slot other than the one on which it transmits. This 
is expressed in the remainder of the formula. 



Weak Version: In the weak interpretation, we require only that a receiver 
learn that someone, possibly themselves, is sending a message. The problem of 
undetected collisions in the transmission phase does not arise here, and the 
implementation is more straightforward. We have verified in the 3-5 agent settings 
that the following assignments work: 

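$$
\mathit{rcvd}x := (\mathit{slot\text{-}request} \neq 0 \land \mathit{message} = x) \lor \bigvee_{s=1}^{n} (rr[s] = 1 \land rr[n+s] = x)
$$

$$
\mathit{dlvrd} := \mathit{slot\text{-}request} \neq 0 \land \bigvee_{s=1}^{n} (rr[s] = 1 \land rr[n+s] = \mathit{message})
$$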

Intuitively, in this case, an agent's own message counts as a delivery, and 
messages observed on reserved slots can be taken at face value. 



Finally, the anonymity property, Specification 4, has been verified to hold in 
all the implementations obtained from the assignments discussed above, when 
n = 3-5. 

12 Related Work 

Abstractions of the kind we have studied, relating a protocol involving a trusted 
third party to a protocol that omits the trusted third party, are often used in 
theoretical studies to specify the objectives of a multi-party protocol. One 
example where this is done in a formal methods setting is work by Backes et al. [T], 
who study the abstraction of pi-calculus programs based on multi-party 
computations. Where we consider a model checking approach to verification, with an 
expressive epistemic specification language, they use a type-checking approach. 
Their notion of abstraction is richer than the bisimulation-based approach we 
have taken, in that they also deal with probabilistic and computational concerns. 
However, as we have noted, we are interested in the preservation of a set of 
epistemic properties (nested knowledge formulas) that is richer in some dimensions 
than is usually considered in this literature. Our abstraction result could be 
easily strengthened to incorporate probability, as was done for a secure channel 
abstraction by van der Meyden and Wilke [35]. However, computational 
complexity issues mesh less well with epistemic logic, and developing a satisfactory 
solution to this remains an open problem. 

Epistemic model checking is less developed than model checking for temporal 
logic, and many possible optimization techniques remain to be explored for 
this field. Other approaches using abstraction in the context of epistemic model 
checking include |6l5j . These works are orthogonal to ours in that where we are 
concerned with an abstraction of a particular primitive (the Dining 
Cryptographers protocol) that works for all formulas, they are concerned with symmetry 
reductions or deal with a more general class of programs than we have 
considered, but need to restrict the class of formulas preserved by the abstraction. 

Other model checkers for the logic of knowledge are under development, but 
MCK remains unique in supporting the perfect recall semantics for knowledge 
using symbolic techniques. DEMO [23. implicitly deals with perfect recall, but 
is based on a somewhat different logic (epistemic update logic), and uses explicit 
state model checking techniques, so it is not clear if it could be used for the type 
of analysis and scale of programs we have considered in this paper. MCMAS 
[TB], MCTK [2UJ and VERICS [7] are based on the observational semantics for 
knowledge (which is also supported in MCK). 

It is possible in some cases to represent the perfect recall semantics using 
the observational semantics (essentially by encoding all history variables into 
the state) and this approach is used in [T7] to analyse the same 2-phase 
protocol as we considered in this paper. However, this modelling is ad-hoc and the 
transformation from perfect recall to observational semantics is handled 
manually, making it susceptible to missing timing channels if not done correctly. 
(Moreover, we did briefly experiment with such a modeling for the large 
programs studied in this paper, but found that the perfect recall model checking 
algorithms outperform the observational semantics model checking algorithm on 
these programs.) The work of [T7] does not view the protocol as a 
knowledge-based program, as we have done, nor do they consider abstraction. 

Knowledge-based programs have been applied successfully in a number of 
applications such as distributed systems, AI, and game theory. They have been used 
in papers such as [811111313118] in order to help in the design of new protocols or 
to clarify the understanding of existing protocols. Examples of the development 
of standard programs from knowledge-based programs can be found in [1918115] . 
The approach described in these papers is different from the one we discussed 
here in that it is done by pencil and paper analysis and proof. Examples of the 
use of epistemic model checkers to identify implementations of knowledge-based 
programs remain limited. One is the work of Baukus and van der Meyden [3] 
who use MCK to analyze several protocols for the cache coherence problem using 
a knowledge-based framework. 

The 2-phase protocol has been implemented in the Herbivore system [10], 
which elaborates it with protocols allowing agents to enter and exit the system, 
as well as grouping agents in anonymity cliques for purposes of efficiency. Variants 
of the protocol have also been considered by Pfitzmann and Waidner [23]. These 
would make interesting case studies for future applications of our approach. 



13 Conclusion 



We have established the soundness of an abstraction for protocols based on 
the Dining Cryptographers, and applied this result to optimize epistemic model 
checking of protocols that use Dining Cryptographers as a primitive. Our 
experimental results clearly demonstrate that the abstraction yields efficiency gains 
for epistemic model checking in interesting examples. In particular, we have used 
these gains to extend an analysis of a knowledge-based program for the 2-phase 
protocol, and derived some interesting conclusions about the subtle information 
flows in the protocol. Several research directions suggest themselves as a result 
of this work. One is to complete the analysis of the knowledge-based program 
for all numbers of agents. We conjecture that our present implementation can 
be shown to work for all numbers of agents, and it would be interesting to 
have a proof of this claim: this would have to be done manually rather than by 
model checking, unless an induction result can be found for the model checking 
approach. Another direction is to consider richer extensions of the 2-phase 
protocol, addressing issues such as messages longer than a single bit, agent entry 
and exit protocols, as well as adversarial concerns such as collusion, cheating 
and disruption of the protocol. We hope to address these in future work. 

Acknowledgments: Thanks to Xiaowei Huang and Kai Englehardt for 
comments on an earlier version of the paper. 